[security] security

Martin Atkins mart at degeneration.co.uk
Sat Oct 28 00:05:20 UTC 2006


Eddy Nigg (StartCom Ltd.) wrote:
> 
> A central repository of a list of registered IDPs. The RP can define if 
> he wants to check with that list or not.
> If yes, the RP checks with the list and receives a green light, else it 
> fails.
> 

As has been noted a few times, OpenID is focused on solving a very 
particular problem, and that problem does not include trust. Mostly 
we've been talking about trust of Identifier URLs so far, but this 
applies to IdPs as well.

RPs are, per the spec, free to refuse to associate with a given IdP 
based on whatever criteria they choose. The upshot of this is that a 
separate effort, independent of the OpenID auth spec, can provide some 
kind of trust system — possibly based on the system you describe — for 
IdPs. RPs can choose to use your system, or they might use someone 
else's system. This is consistent with the decentralized spirit of OpenID.

Since this seems to be your area of expertise and an area of interest to 
you, I encourage you to write up a more formal proposal — on the wiki, 
for example — for some kind of protocol for checking IdP trust which can 
be employed by RPs as one of their mechanisms for discriminating against 
IdPs. However, the whole subject of inter-party trust is deliberately 
not considered in OpenID; we're not trying to save the world. :)
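As an added illustration of the point above (example code written for this page, not code from the OpenID spec, from Martin Atkins, or from any registry proposal on the list): an RP can keep the trust decision entirely on its own side, as a policy hook that runs after discovery and before it associates with the IdP. The hook consumes whatever trust sources the RP chooses, such as the central registry Eddy Nigg describes plus the RP's own list, so the auth protocol itself stays trust-agnostic. Everything here is assumed: the registry contents are constructed sample data, the function names are hypothetical, and the "any source suffices" default is one policy among several an RP might pick. The one detail worth copying is that endpoints are compared only after normalization (scheme and host lowercased, default port dropped, empty path made "/"), because a list match on a raw string is easy to dodge with a capitalized host or an explicit ":443".

```python
"""Hypothetical RP-side IdP trust check (added example, not OpenID spec code).

Assumptions not taken from the original post: the RP has already run
discovery on the claimed identifier and holds the IdP's endpoint URL; each
trust source is a list of endpoint URLs from whichever registry the RP
chose to consult. All registry data below is constructed.
"""
from typing import Callable, Iterable, List
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_endpoint(url: str) -> str:
    """Canonicalize an IdP endpoint so that equivalent spellings compare equal.

    Lowercases scheme and host, strips a default port, turns an empty path into
    "/", and drops any fragment. Query strings are kept: a different query may
    denote a different endpoint.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; raises ValueError if malformed
    if port is not None and port == DEFAULT_PORTS.get(scheme):
        port = None
    netloc = host if port is None else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


TrustSource = Callable[[str], bool]


def registry_source(listed: Iterable[str]) -> TrustSource:
    """Wrap a registry's endpoint list as a membership test on normalized URLs."""
    table = {normalize_endpoint(u) for u in listed}
    return lambda endpoint: endpoint in table


def rp_accepts_idp(endpoint: str, sources: List[TrustSource],
                   mode: str = "any", require_https: bool = True) -> bool:
    """Decide, before association, whether this RP will talk to the IdP.

    mode="any": a listing in one configured source is enough.
    mode="all": the IdP must appear in every configured source.
    With no sources configured the RP behaves like plain OpenID and
    associates with anyone (the trust layer is opt-in, as the post says).
    """
    ep = normalize_endpoint(endpoint)
    if require_https and not ep.startswith("https://"):
        return False
    if not sources:
        return True
    verdicts = [src(ep) for src in sources]
    return all(verdicts) if mode == "all" else any(verdicts)


# Constructed sample registries (hypothetical hosts, not real IdPs).
CENTRAL_REGISTRY = ["https://idp.example.com/server", "https://openid.example.org"]
RP_OWN_LIST = ["https://partner.example.net/openid"]


def check_examples() -> dict:
    """Run the policy over a few constructed endpoints and return the verdicts."""
    sources = [registry_source(CENTRAL_REGISTRY), registry_source(RP_OWN_LIST)]
    return {
        # listed, but spelled with a capitalized host and an explicit default port
        "listed_with_default_port": rp_accepts_idp("https://IDP.example.com:443/server", sources),
        # same host, but plain http: refused before any list is consulted
        "listed_but_plain_http": rp_accepts_idp("http://idp.example.com/server", sources),
        # in neither registry
        "unlisted": rp_accepts_idp("https://evil.example.com/server", sources),
        # same unlisted IdP, RP has opted out of any trust check
        "no_policy": rp_accepts_idp("https://evil.example.com/server", []),
        # only in the RP's own list; fails when every source must agree
        "own_list_only_all_mode": rp_accepts_idp("https://partner.example.net/openid", sources, mode="all"),
    }


if __name__ == "__main__":
    for name, verdict in check_examples().items():
        print(f"{name}: {'associate' if verdict else 'refuse'}")
```

The hook is deliberately a plain callable so that a registry-backed source, a locally maintained list, or a signed feed can all be swapped in without the RP's OpenID code changing; that is the separation the post argues for.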




